Last post Aug 06, 2017 12:58 AM by DA924
Aug 03, 2017 07:51 PM|PhillD|LINK
I'm building an application that displays customers' billing data and I would like some advice on the best way to pass parameters to Views or Models without allowing the user to load data they aren't supposed to see.
For example, suppose I created an action result as follows:
public ActionResult InvoiceDetail(int InvoiceNumber)
The user could easily manipulate the InvoiceNumber passed in the URL to load a different invoice that doesn't belong to them. I currently use Identities to authenticate the user, so I could store the Invoice Number in the user cookie and load the detail based on the cookie value, but are there other/better ways of handling it?
Aug 03, 2017 09:49 PM|mgebhard|LINK
How does the user enter the InvoiceNumber? Perhaps a select list can reduce the threat.
If you want to verify the invoice belongs to the user then simply filter the result set by the userId. If the invoice does match the user then the result set will be empty.
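The ownership filter suggested in the reply above, as an added example that is not part of the original thread. The `Invoice` and `InvoiceService` types, the customer ids and the in-memory invoice list are hypothetical, constructed for illustration; the sketch assumes the customer id is taken from the authenticated identity on the server.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class Invoice
{
    public int InvoiceId { get; set; }
    public string CustomerId { get; set; }
    public decimal Total { get; set; }
}

// Hypothetical service: every invoice lookup is scoped to one customer.
public sealed class InvoiceService
{
    private readonly IReadOnlyList<Invoice> _invoices;
    public InvoiceService(IReadOnlyList<Invoice> invoices) { _invoices = invoices; }

    // customerId must come from the authenticated identity on the server,
    // never from the query string, a form field or a hidden input.
    public Invoice GetForCustomer(int invoiceId, string customerId)
    {
        if (string.IsNullOrEmpty(customerId))
            throw new UnauthorizedAccessException("No authenticated customer.");

        // Ownership is part of the lookup itself, so an invoice that belongs
        // to another customer looks exactly like one that does not exist.
        return _invoices.SingleOrDefault(
            i => i.InvoiceId == invoiceId && i.CustomerId == customerId);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data: two customers, one invoice each.
        var service = new InvoiceService(new List<Invoice> {
            new Invoice { InvoiceId = 1234, CustomerId = "cust-A", Total = 120.00m },
            new Invoice { InvoiceId = 1235, CustomerId = "cust-B", Total = 75.50m },
        });
        const string loggedIn = "cust-A"; // stands in for the signed-in user
        // 1234 is owned, 1235 belongs to cust-B, 9999 does not exist.
        foreach (var id in new[] { 1234, 1235, 9999 })
        {
            var invoice = service.GetForCustomer(id, loggedIn);
            Console.WriteLine(invoice == null
                ? $"InvoiceID={id}: not found"
                : $"InvoiceID={id}: total {invoice.Total}");
        }
    }
}
```

In an MVC action, a null result would map to `HttpNotFound()`, so the response for someone else's invoice is the same as for an id that was never issued.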
Aug 03, 2017 11:16 PM|PhillD|LINK
Currently, the user would click a gridview row and the details page will be loaded; however, when the browser loads the invoice details page, the following URL is shown in the address bar:
http://sitename.com/CustomerPortal/InvoiceDetails?InvoiceID=1234 etc. It would be very easy for the user to change the Invoice ID to 1235 and view another customer's details.
I can think of several ways to handle it, e.g. passing the ID through the cookie so it's not shown or used as a parameter in the Action Method, or generating a random GUID in the database table and loading the Invoice details from that ID instead. I just wondered if there is a common/accepted method for handling problems like this. I'm sure it would be a problem for many different sites and data.
Aug 03, 2017 11:23 PM|PhillD|LINK
Responding to the last part of your comment, yes, I could filter the results based on the CustomerID as well as the invoice number, that would work just fine because the customer ID is already being passed through the cookie and not the URL. I was just curious if there was another mechanism to stop users from accessing data they shouldn't.
Aug 06, 2017 12:58 AM|DA924|LINK
I am looking into the info in the below link. It may be of interest to you. I think it will be simple to implement if using SoC in MVC and using services.